
Step 2: base64 session?
I looked at the session cookie and realised it was a base64-encoded string, so I decoded it. The result looked like an MD5 hash.

Step 3: Burp Decode
You can also use Burp's built-in decoder to decode the base64. I created a new account to test my theory and yep, same thing again:

Step 4: Testing the theory
I opened up CyberChef, entered my plaintext username "admins", and set it to be MD5-hashed and then Base64-encoded. The output looked very much like the session cookie I had earlier:

Now, I set the user "admin" and ran it through the hashing + encoding process:

Step 5: Inserting the forged cookie
I inserted my forged cookie (which belonged to "admin") and got the resulting flag in the response. Yes, that's right: the app is using a session cookie calculated as base64(md5(username)) and not even looking at the password.
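For anyone fixing or auditing an app like this, here is an added example (not code from the challenge or the original writeup) that puts the weak cookie scheme next to a hardened one and adds a check that flags cookies derivable from the username alone. It assumes the app base64-encodes the hex form of the MD5 digest, as the decoded cookie suggested; `SessionStore` and `is_derivable_from_username` are hypothetical names.

```python
import base64
import hashlib
import secrets


def weak_session_cookie(username: str) -> str:
    """Scheme described in the writeup: base64(md5(username)).
    Assumption: the hex digest (not the raw bytes) is what gets encoded."""
    digest_hex = hashlib.md5(username.encode()).hexdigest()
    return base64.b64encode(digest_hex.encode()).decode()


def is_derivable_from_username(cookie: str, username: str) -> bool:
    """Audit check: True if the cookie is only an unkeyed hash of the
    username, meaning it holds no secret and is identical on every login."""
    try:
        decoded = base64.b64decode(cookie, validate=True)
    except ValueError:  # not valid base64, so not this scheme
        return False
    candidates = set()
    for algo in ("md5", "sha1", "sha256"):
        h = hashlib.new(algo, username.encode())
        candidates.update({h.digest(), h.hexdigest().encode()})
    return decoded in candidates


class SessionStore:
    """Hardened form: the cookie is an opaque random ID and the mapping
    to a user exists only on the server."""

    def __init__(self):
        self._sessions = {}

    def login(self, username: str) -> str:
        # Call only after the password has been verified.
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = username
        return sid

    def user_for(self, sid: str):
        # Unknown IDs resolve to no user at all.
        return self._sessions.get(sid)
```

Running `is_derivable_from_username` against the cookie issued to a known test account is a quick regression test to keep in a CI suite.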

Thanks for looking!